memory leak in dns_message_checksig function - SIG(0) without view
Reproduced using code from !5923 (merged), commit 4a3aa7abc8fb0610a807dcbd5ca34af1b332d97e.
It was caught by the AFL fuzzer while the tests were crashing wildly.
AFL output:
american fuzzy lop ++4.02c {default} (.libs/lt-dns_message_checksig) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 0 min, 26 sec │ cycles done : 14 │
│ last new find : 0 days, 0 hrs, 0 min, 0 sec │ corpus count : 117 │
│last saved crash : 0 days, 0 hrs, 0 min, 4 sec │saved crashes : 27 │
│ last saved hang : none seen yet │ saved hangs : 0 │
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 31.274 (26.5%) │ map density : 0.31% / 1.41% │
│ runs timed out : 0 (0.00%) │ count coverage : 1.45 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : havoc │ favored items : 60 (51.28%) │
│ stage execs : 117/220 (53.18%) │ new edges on : 76 (64.96%) │
│ total execs : 1.62M │ total crashes : 158 (27 saved) │
│ exec speed : 61.6k/sec │ total tmouts : 0 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 8 │
│ byte flips : disabled (default, enable with -D) │ pending : 27 │
│ arithmetics : disabled (default, enable with -D) │ pend fav : 0 │
│ known ints : disabled (default, enable with -D) │ own finds : 114 │
│ dictionary : n/a │ imported : 0 │
│havoc/splice : 93/655k, 48/959k │ stability : 99.27% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 32.43%/2274, disabled │ [cpu000: 25%]
└────────────────────────────────────────────────────┘^C
+++ Baking aborted by the chef +++
[+] We're done here. Have a nice day!
Reproducer:
autoreconf -fiv
CC='afl-clang-fast' CFLAGS='-O2 -march=native' CPPFLAGS='-D_FORTIFY_SOURCE=0' ./configure --enable-fuzzing=afl
make
cd fuzz
make check # fails, but never mind
./dns_message_checksig
This prints a warning containing the map size you should set in the next step, e.g.:
Warning: AFL++ tools might need to set AFL_MAP_SIZE to 67237 to be able to run this instrumented program if this crashes!
Then run:
AFL_MAP_SIZE=67237 afl-fuzz -i dns_message_checksig.in -o dns_message_checksig.out .libs/lt-dns_message_checksig
Versions used:
$ pacman -Q afl clang
aflplusplus 4.02c-1
clang 14.0.6-2
BIND 90949da78f048eca660417906a25165de676e8c1
Edited by Petr Špaček